UPnP not working with Traffic Shaping Queue (XBOX)



  • I have 2 XBoxes connected to my pfSense network using AON and UPnP just like the sticky in the Gaming forum.

    Traffic shaping was set up using the wizard for a 1 WAN and 1 LAN network and is working quite well with some simple rules to raise the priority of Gaming, DNS and VNC, but mostly to prioritize ICMP so apinger doesn't throw latency and packet warnings when my internet connection is maxed out.

    I have set up some floating rules using the standard 88 and 3074 ports for the Xboxes piped into the qGames queue, and this works only for the one Xbox that uses the standard ports of 88 and 3074.  UPnP randomizes the ports of the second Xbox, so my floating rules just don't apply to it.

    I thought entering qGames in the Traffic Shaping Queue under 'Services/UPnP' would allow the network activity using UPnP to pipe the traffic into the qGames queue without using any floating rules, but it doesn't; it just goes into qDefault.  I'm aware of resetting states after making any changes to the Traffic Shaper or the floating rules, so I don't believe it's me and user error.

    Can anyone confirm this to be a bug, or give any insight or thoughts into why UPnP is not using the Traffic Shaping Queue I've set up?  Running the latest 2.0B4 snaps, thanks in advance.



  • Can you try this change manually and report if it fixes the issue for you?

    
    diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
    index 486cd12..2e3a6b9 100644
    --- a/etc/inc/filter.inc
    +++ b/etc/inc/filter.inc
    @@ -2157,6 +2157,9 @@ EOD;
             */
            $ipfrules .= << <eod<br>+# uPnPd
    +anchor "miniupnpd"
    +
     # loopback
     pass in on \$loopback all label "pass loopback"
     pass out on \$loopback all label "pass loopback"
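
Review bot: The relocated `anchor "miniupnpd"` now sits directly above the `# loopback` pass rules with only the `# uPnPd` label, so nothing records why its position in the ruleset matters. pf applies the last matching rule unless a rule is marked quick, which means rules loaded into this anchor can now be overridden by any later non-quick match; add a comment stating the ordering the anchor depends on, and confirm that the rules miniupnpd installs are quick.
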
    @@ -2316,9 +2319,6 @@ EOD;
            $ipfrules .= << <eod<br>anchor "tftp-proxy/*"
    
    -# uPnPd
    -anchor "miniupnpd"
    -
     EOD;
    
            return $ipfrules;</eod<br></eod<br> 
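
Review bot: With the `anchor "miniupnpd"` lines dropped from after `anchor "tftp-proxy/*"`, the generated ruleset should contain the anchor exactly once, at the new position, and the change gives testers no way to confirm that on a running system. Ask them to run `pfctl -vsr` after a filter reload and check that the anchor no longer appears after `tftp-proxy/*`; a ruleset that still lists it there was not built from the patched file.
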
    


  • Thanks for the reply Ermal, I patched the filter.inc file, disabled my xbox floating rules, and then rebooted for good measure.

    Sadly, traffic still gets piped through qDefault and UPnP is ignoring my qGames queue.



  • Show me the pfctl -vsr
    and pfctl -a miniupnpd -vsr

    To see what kind of rules upnpd generates.



  • $ pfctl -vsr
    scrub in on em1 all random-id fragment reassemble
      [ Evaluations: 44656     Packets: 12965     Bytes: 5477242     States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    scrub in on em0 all random-id fragment reassemble
      [ Evaluations: 21932     Packets: 9078      Bytes: 538599      States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    anchor "relayd/*" all
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log all label "Default deny rule"
      [ Evaluations: 1658      Packets: 127       Bytes: 14973       States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop out log all label "Default deny rule"
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick inet6 all
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop out quick inet6 all
      [ Evaluations: 839       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop quick proto tcp from any to any port = 0
      [ Evaluations: 466       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop quick proto udp from any port = 0 to any
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop quick proto udp from any to any port = 0
      [ Evaluations: 1171      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop quick from <snort2c> to any label "Block snort2c hosts"
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop quick from any to <snort2c> label "Block snort2c hosts"
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick proto tcp from <sshlockout> to any port = xxxxx label "sshlockout"
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = xxxxx label "webConfiguratorlockout"
      [ Evaluations: 302       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick from <virusprot> to any label "virusprot overload table"
      [ Evaluations: 819       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on em1 from <bogons> to any label "block bogon networks from WAN"
      [ Evaluations: 819       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in on ! em1 inet from xxx.xxx.xxx.xxx/22 to any
      [ Evaluations: 819       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in inet from xxx.xxx.xxx.xxx to any
      [ Evaluations: 819       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in on em1 inet6 from fe80::250:56ff:fe14:5297 to any
      [ Evaluations: 819       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in on em1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 404       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out on em1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 1147      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in on ! em0 inet from xxx.xxx.xxx.xxx/24 to any
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in inet from xxx.xxx.xxx.xxx to any
      [ Evaluations: 828       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in on em0 inet6 from fe80::250:56ff:fe14:528d to any
      [ Evaluations: 819       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 415       Packets: 6         Bytes: 1968        States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in on em0 inet proto udp from any port = bootpc to xxx.xxx.xxx.xxx port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out on em0 inet proto udp from xxx.xxx.xxx.xxx port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 1028      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1658      Packets: 305       Bytes: 108042      States: 1     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out route-to (em1 xxx.xxx.xxx.xxx) inet from xxx.xxx.xxx.xxx to ! xxx.xxx.xxx.xxx/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 839       Packets: 8398      Bytes: 5970779     States: 18    ]
      [ Inserted: uid 0 pid 55111 ]
    pass in on em1 inet proto tcp from any to xxx.xxx.xxx.xxx port = pptp flags S/SA modulate state label "allow pptpd xxx.xxx.xxx.xxx"
      [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto udp from any to any port = domain keep state label "USER_RULE: m_Other Web outbound 1" queue qOthersHigh
      [ Evaluations: 1658      Packets: 1291      Bytes: 164377      States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto udp from any to any port 67:68 keep state label "USER_RULE: m_Other Web outbound 1" queue qOthersHigh
      [ Evaluations: 674       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: m_Other Web outbound 2" queue(qOthersHigh, qACK)
      [ Evaluations: 839       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto tcp from any to any port 67:68 flags S/SA keep state label "USER_RULE: m_Other Web outbound 2" queue(qOthersHigh, qACK)
      [ Evaluations: 164       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto udp from any to any port = kerberos-sec keep state label "USER_RULE: m_Game xbox360-1 outbound" queue qGames
      [ Evaluations: 839       Packets: 10        Bytes: 11444       States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto udp from any to any port = 3074 keep state label "USER_RULE: m_Game xbox360-1 outbound" queue qGames
      [ Evaluations: 674       Packets: 2017      Bytes: 612802      States: 2     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto udp from any to any port = 39954 keep state label "USER_RULE: m_Game xbox360-1 outbound" queue qGames
      [ Evaluations: 674       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto udp from any to any port = 3658 keep state label "USER_RULE: m_Game xbox360-1 outbound" queue qGames
      [ Evaluations: 674       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto udp from any to any port = 49152 keep state label "USER_RULE: m_Game xbox360-1 outbound" queue qGames
      [ Evaluations: 674       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto tcp from any to any port = kerberos-sec flags S/SA keep state label "USER_RULE: m_Game xbox360-2 outbound" queue(qGames, qACK)
      [ Evaluations: 839       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto tcp from any to any port = 3074 flags S/SA keep state label "USER_RULE: m_Game xbox360-2 outbound" queue(qGames, qACK)
      [ Evaluations: 164       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto tcp from any to any port = 39954 flags S/SA keep state label "USER_RULE: m_Game xbox360-2 outbound" queue(qGames, qACK)
      [ Evaluations: 164       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto tcp from any to any port = 3658 flags S/SA keep state label "USER_RULE: m_Game xbox360-2 outbound" queue(qGames, qACK)
      [ Evaluations: 164       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out proto tcp from any to any port = 49152 flags S/SA keep state label "USER_RULE: m_Game xbox360-2 outbound" queue(qGames, qACK)
      [ Evaluations: 164       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass out inet proto icmp all keep state label "USER_RULE: m_Other ICMP outbound" queue qACK
      [ Evaluations: 839       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick on em1 reply-to (em1 xxx.xxx.xxx.xxx) inet proto igmp from any to 224.0.0.1 label "USER_RULE: Multicast (No Log)"
      [ Evaluations: 1658      Packets: 18        Bytes: 504         States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick on em1 reply-to (em1 xxx.xxx.xxx.xxx) inet proto udp from <rr_dhcp_server> port = bootps to 255.255.255.255 port = bootpc label "USER_RULE: RR DHCP Broadcast (No Log)"
      [ Evaluations: 386       Packets: 308       Bytes: 110368      States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on em1 reply-to (em1 xxx.xxx.xxx.xxx) inet from <private_networks> to any label "USER_RULE: Block Private Networks"
      [ Evaluations: 78        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on em1 reply-to (em1 xxx.xxx.xxx.xxx) inet from <spynet> to any label "USER_RULE: Block Microsoft SpyNet"
      [ Evaluations: 78        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in quick on em1 reply-to (em1 xxx.xxx.xxx.xxx) inet proto udp from any to xxx.xxx.xxx.xxx port = 8460 keep state label "USER_RULE: Road Warrior OpenVPN"
      [ Evaluations: 78        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick on em0 inet proto igmp from any to 224.0.0.1 label "USER_RULE: Multicast (No Log)"
      [ Evaluations: 502       Packets: 2         Bytes: 72          States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on em0 inet proto tcp from xxx.xxx.xxx.xxx/24 to ! xxx.xxx.xxx.xxx port = domain label "USER_RULE: Block Rogue DNS"
      [ Evaluations: 413       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on em0 inet proto udp from xxx.xxx.xxx.xxx/24 to ! xxx.xxx.xxx.xxx port = domain label "USER_RULE: Block Rogue DNS"
      [ Evaluations: 189       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick on em0 inet proto tcp from <consoles> to xxx.xxx.xxx.xxx port = xxxxx label "USER_RULE: Block Consoles from Admin"
      [ Evaluations: 413       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick on em0 inet proto tcp from <consoles> to xxx.xxx.xxx.xxx port = xxxxx label "USER_RULE: Block Consoles from Admin"
      [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick on em0 inet proto udp from <consoles> to xxx.xxx.xxx.xxx port = xxxxx label "USER_RULE: Block Consoles from Admin"
      [ Evaluations: 195       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in quick on em0 inet proto udp from <consoles> to xxx.xxx.xxx.xxx port = xxxxx label "USER_RULE: Block Consoles from Admin"
      [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on em0 inet from xxx.xxx.xxx.xxx/24 to <spynet> label "USER_RULE: Block Microsoft SpyNet"
      [ Evaluations: 413       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in quick on em0 inet from xxx.xxx.xxx.xxx/24 to any flags S/SA keep state label "USER_RULE: LAN To Any"
      [ Evaluations: 411       Packets: 12023     Bytes: 7670033     States: 22    ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on openvpn inet proto tcp from xxx.xxx.xxx.xxx/28 to ! xxx.xxx.xxx.xxx port = domain label "USER_RULE: Block Rogue DNS"
      [ Evaluations: 129       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on openvpn inet proto udp from xxx.xxx.xxx.xxx/28 to ! xxx.xxx.xxx.xxx port = domain label "USER_RULE: Block Rogue DNS"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in quick on openvpn inet from xxx.xxx.xxx.xxx/28 to any flags S/SA keep state label "USER_RULE: OVPN To Any"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on pptp inet proto tcp from xxx.xxx.xxx.xxx to ! xxx.xxx.xxx.xxx port = domain label "USER_RULE: Block Rogue DNS"
      [ Evaluations: 129       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    block drop in log quick on pptp inet proto udp from xxx.xxx.xxx.xxx to ! xxx.xxx.xxx.xxx port = domain label "USER_RULE: Block Rogue DNS"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    pass in quick on pptp inet from xxx.xxx.xxx.xxx to any flags S/SA keep state label "USER_RULE: PPTP To Any"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    anchor "tftp-proxy/*" all
      [ Evaluations: 968       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    anchor "miniupnpd" all
      [ Evaluations: 968       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 55111 ]
    
    $ pfctl -a miniupnpd -vsr
    

    This one doesn't yield any output.

    I ran both these commands with one of my Xboxes on, and its status was displayed under Status/UPnP.
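
Added example, not part of the original posts: a small parser for `pfctl -vsr` output that reports whether the `miniupnpd` anchor is evaluated before the loopback rules (where the patch above moves it) and how many packets each queue's rules have matched. The sample input, its address and its counters are constructed; the function names are this example's own.

```python
import re

# Constructed sample in `pfctl -vsr` format (address and counters are made up).
SAMPLE = '''\
anchor "miniupnpd" all
  [ Evaluations: 968       Packets: 0         Bytes: 0           States: 0     ]
pass in on lo0 all flags S/SA keep state label "pass loopback"
  [ Evaluations: 1658      Packets: 0         Bytes: 0           States: 0     ]
pass out proto udp from any to any port = 3074 keep state label "USER_RULE: m_Game xbox360-1 outbound" queue qGames
  [ Evaluations: 674       Packets: 2017      Bytes: 612802      States: 2     ]
pass in quick on em0 inet from 192.0.2.0/24 to any flags S/SA keep state label "USER_RULE: LAN To Any"
  [ Evaluations: 411       Packets: 12023     Bytes: 7670033     States: 22    ]
'''

LABEL_RE = re.compile(r'label "[^"]*"')
QUEUE_RE = re.compile(r'\bqueue\s*\(?\s*(\w+)')
PACKETS_RE = re.compile(r'Packets:\s*(\d+)')

def parse_rules(text):
    """Parse `pfctl -vsr` output into dicts: rule text, first queue, packet count."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('['):            # counter line belongs to the previous rule
            m = PACKETS_RE.search(line)
            if m and rules:
                rules[-1]['packets'] = int(m.group(1))
            continue
        q = QUEUE_RE.search(LABEL_RE.sub('', line))   # ignore "queue" inside labels
        rules.append({'rule': line, 'queue': q.group(1) if q else None, 'packets': 0})
    return rules

def anchor_precedes_loopback(rules, anchor='miniupnpd'):
    """True if the anchor is evaluated before the first "pass loopback" rule."""
    a = next((i for i, r in enumerate(rules)
              if r['rule'].startswith(f'anchor "{anchor}"')), None)
    lo = next((i for i, r in enumerate(rules)
               if 'label "pass loopback"' in r['rule']), None)
    return a is not None and lo is not None and a < lo

def packets_by_queue(rules):
    """Sum packet counters per queue; rules without a queue keyword go under None."""
    totals = {}
    for r in rules:
        totals[r['queue']] = totals.get(r['queue'], 0) + r['packets']
    return totals

if __name__ == '__main__':
    parsed = parse_rules(SAMPLE)
    print(anchor_precedes_loopback(parsed), packets_by_queue(parsed))
```
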



  • Any thoughts Ermal? I see a commit on the 22nd to Traffic Shaping on the LAN side, which was removed.  Does this apply to UPnP as well, that it is not able to be shaped?

